Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


04:16 AM
Connect Directly

Don't Count Out Active Directory For Cloudy Future

AD isn't going anywhere anytime soon

Because Active Directory (AD) was first developed in an era before SaaS services, some security proponents might make the case that it hasn't adapted well enough and doesn't have the architectural flexibility to future-proof itself within the increasingly cloud- and mobile-centric enterprise.

However, plenty of others out there will tell you not to count out AD yet. Not only is Microsoft gaining ground at honing AD's cloud capabilities through Windows Azure Active Directory and further refinements of Active Directory Federation Services (ADFS), but AD also is so completely ingrained within the fiber of just about every big enterprise out there that it's not going anywhere anytime soon.

"It will be a while before the dust settles around these [cloud identity providers], and in the near term it's hard to see any one particular play winning," says Scott Crawford, analyst for Enterprise Management Associates. "But you simply can't count out the value of Active Directory and of extending that from the enterprise to third-party services because it is so well-established."

[What IAM gaffes are you making? See 7 Costly IAM Mistakes.]

Active Directory is a good platform for the cloud, says Phil Lieberman, founder of privileged identity management firm Lieberman Software.

"AD can be used in so many ways. Microsoft is already using it for hundreds of millions of users as the basis for all of its cloud-based services, so scalability isn't an issue," Lieberman says. "It's just a place to store stuff about identities and information about what they can do. Out of the box it ties all of the Microsoft stuff together, but there was never a restriction that said you couldn't use it for something else."

For example, you can change the schema and you can plug in another authenticator, he says.

"It just uses Kerberos, but if you want to use something else or federate with something else, you can absolutely do that," Lieberman says.

With respect to federation, Jackson Shaw, senior director of identity management for Quest Software, a Dell company, says that too many cloud IAM providers with a clear agenda have overblown ADFS pain points to make it a bit of a four-letter word. But he believes that there's another four-letter word that IT buyers should use against these vendors: free.

"One of the basic problems with ADFS that is overblown is just the fact that a customer will see that it needs to use some sort of a certificate or PKI and will immediately go 'deer in the headlights,'" he says. "But the fact of the matter is any product that uses federation requires a certificate."

So even though the free product will cost money, the truth is that deployment headaches won't go away altogether. Shaw suggests customers use this fact to their advantage, even if they don't choose to use ADFS.

"Free doesn't necessarily mean 'free,' but it can also be used by customers as a bargaining chip when they're buying software," he says. "A customer who's smart about things and is educated a little bit can have that discussion -- can save themselves some money even when they know that they don't want ADFS or can't use it."

However, organizations should give the technology a chance, Shaw says. Though ADFS did face its share of early-generation roughness, Microsoft has been working the kinks out.

"Microsoft gets things right after the third or fourth try. They've got the staying power to have that runway to perfect things before they take off," he says. "I think you can see that with some of the work they've done around integrating an on-premise directory with Office 365, they're starting to sharpen their pencil."

Besides, Lieberman says, it would be somewhat disingenuous to say slow uptake of ADFS is failing on behalf of Microsoft's part. He believes the question shouldn't be so much about why ADFS has not had tremendous uptake in the years it has been out, but instead why federation itself hasn't taken root in the enterprise.

"Federation is rare in the enterprise today," he says. "ADFS is an enabler for federation. Of course, it's like a gym membership. You can buy it, but it doesn't mean you're going to go there."

In the end, the toughest nuts to crack around IAM deployments in the cloud, around single sign-on, and around federation really have nothing to do with AD or any individual technology. It all boils down to the underlying business processes these technologies are meant to facilitate.

"Deployment to integrate identity management with these services is more than just connecting the dots through federation," Crawford says. "There's user management and provisioning, there's access management on the part of the target service, and then there's the granularity of access management."

But where things go wrong when putting all of these pieces together is that the IT departments don't understand the business processes they'll be built around to set up a successful deployment. And there's just no technology to solve that problem.

"For a long time one of the biggest issues the systems integrators faced is that you have to understand how the organization's business process work to know what privileges would be correct," he says. "A lot of times the customer didn't understand that themselves. So what started out as an identity management deployment often wound up being a business process management consulting engagement."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Ransomware Damage Hit $11.5B in 2019
Dark Reading Staff 2/20/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-02-21
Heap-based buffer overflow in Xchat-WDK before 1499-4 (2012-01-18) xchat 2.8.6 on Maemo architecture could allow remote attackers to cause a denial of service (xchat client crash) or execute arbitrary code via a UTF-8 line from server containing characters outside of the Basic Multilingual Plane (BM...
PUBLISHED: 2020-02-21
Information-disclosure vulnerability in Netsurf through 2.8 due to a world-readable cookie jar.
PUBLISHED: 2020-02-21
The HTTPS protocol, as used in unspecified web applications, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which makes it easier for man-in-the-middle attackers to obtain plaintext secret values by observing length differences during a series of guesses...
PUBLISHED: 2020-02-21
Multiple unspecified vulnerabilities in Autonomy KeyView IDOL before 10.16, as used in Symantec Mail Security for Microsoft Exchange before 6.5.8, Symantec Mail Security for Domino before 8.1.1, Symantec Messaging Gateway before 10.0.1, Symantec Data Loss Prevention (DLP) before 11.6.1, IBM Notes 8....
PUBLISHED: 2020-02-21
Insecure plugin update mechanism in tucan through 0.3.10 could allow remote attackers to perform man-in-the-middle attacks and execute arbitrary code ith the permissions of the user running tucan.